Software Assurance through Economic Measures 
W&K INFO DEFENSE RESEARCH LLC 

Dave Kleiman 


W&K INFO DEFENSE RESEARCH LLC 
4371 Northlake Blvd #314 


Palm Beach 

FL 33410 - 6253 
5613108801 
NA 

274997114 


Craig Wright 


W&K INFO DEFENSE RESEARCH LLC 
4371 Northlake Blvd #314 


Palm Beach 

FL 33410 - 6253 
+61 2 4362 1512 
NA 

274997114 


W&K INFO DEFENSE RESEARCH LLC is a Joint Venture Company between a US Veteran-Owned Enterprise and an Australian Research Company. 


Amount Requested (in dollars): $650000.00 
Duration: 36 months 
Requested Starting Date: 07/04/2011 


Business Type: Small Business 
Executive Summary 


The deficiency of published quantitative data on software development and systems design has 
been a major reason for software engineering's failure to establish a proper scientific 
foundation. Past studies into coding practice have focused on software vendors. Vendor 
development differs from in-house projects in many ways, and practices derived from vendor 
studies do not align well with in-house corporate code development. In the past, building 
software was the only option, but as the industry developed, the build vs. buy argument has 
swung back towards in-house development with the uptake of Internet-connected systems. In 
general, this has been targeted towards specialized web databases and online systems, with office 
systems and mainstream commercial applications becoming a 'buy' decision. 


As companies move more and more to using the web and as 'cloud applications' become 
accepted, in-house development is becoming more common. This paper uses an empirical study 
of in-house software coding practices in Australian companies to demonstrate that there is 
an economic limit to how far testing should proceed and to note the deficiencies in the 
existing approaches. 


1.1 Related Work 


Other studies of coding processes and reliability have been conducted over the last few decades. 
The majority of these have been based either on studies of large systems and mainframe-based 
operations or have analyzed software vendors. In the few cases where coding practices within 
individual organizations have been quantitatively analyzed, the organizations have nearly 
always been large telecommunications firms, or the studies have focused on SCADA and other 
critical system providers. 


Whilst these results are extremely valuable, they fail to reflect the state of affairs within the vast 
majority of organizations. With far more small to medium businesses than large organizations 
with highly focused and dedicated large-scale development teams (as can be found in any 
software vendor), an analysis of in-house practice is critical to both the security and the 
economics of in-house coding. 


As the Internet becomes all-pervasive, internal coding functions are only likely to 
become more prevalent and hence more crucial to the security of the organization. 


1.2 Our contribution 

We intend to present an analysis using empirical studies to determine and model the cost of 
finding, testing and fixing software bugs. We model the discovery of bugs or vulnerabilities 
using quantitative functions and calculate the defect rate per SLOC (source lines of code) using 
Bayesian calculations. 

The end solution to the limited and sub-optimal markets that currently exist would be the 
creation of hedge funds for software security. Sales in software security based derivatives could 
be created on forward contracts. One such solution is the issuing of paired contracts (such as 
exist in short sales of stocks). The first contract would be taken by a user and would pay a fixed 
amount if the software has suffered from any unmitigated vulnerabilities on the (forward) date 
specified in the contract. The paired contract would cover the vendor. If the vendor creates 
software without flaws (or at least mitigates all easily determinable flaws prior to the inception 
of the contract), the contract pays them the same amount as the first contract. 


This is in effect a 'bet' that the software will perform effectively. If a bug is discovered, the user 
is paid a predetermined amount. This amount can be determined by the user to cover the 
expected costs of patching and any consequential damages (if so desired). This allows the user to 
select their own risk position by purchasing more or less risk as suits both the risk tolerance and 
the nature of the user's systems. 
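As an added worked example (not code from the proposal or its authors), the following Python sketches one concrete way to carry out the Bayesian defect-rate-per-SLOC calculation from section 1.2 and then use it to value the paired contract described above. It assumes a Gamma-Poisson conjugate model for defects per KSLOC, a user-chosen payout, and a constructed sample of project defect counts; the model choice and the sample data are assumptions, not the proposal's.

```python
# Constructed sample of in-house projects: (defects found, KSLOC reviewed).
# These numbers are illustrative only, not data from the proposal.
SAMPLE_PROJECTS = [(3, 2.1), (0, 0.8), (7, 5.4), (2, 1.9), (5, 3.3)]


def posterior_gamma(projects, alpha0=1.0, beta0=1.0):
    """Conjugate Bayesian update for a Poisson defect process (assumed model).

    Defects in a project of k KSLOC are modelled as Poisson(lambda * k) with a
    Gamma(alpha0, beta0) prior on lambda, the defect rate per KSLOC (rate
    parameterisation, so the prior mean is alpha0 / beta0). The posterior is
    Gamma(alpha0 + total defects, beta0 + total KSLOC).
    """
    alpha = alpha0 + sum(defects for defects, _ in projects)
    beta = beta0 + sum(ksloc for _, ksloc in projects)
    return alpha, beta


def defect_rate_estimate(alpha, beta):
    """Posterior mean defect rate per KSLOC."""
    return alpha / beta


def prob_no_unmitigated_defects(alpha, beta, ksloc):
    """Posterior predictive probability that a new product of `ksloc` KSLOC
    ships with zero unmitigated defects.

    Integrating Poisson(lambda * ksloc) over the Gamma posterior gives a
    negative binomial predictive whose zero term is (beta / (beta + ksloc))^alpha.
    """
    return (beta / (beta + ksloc)) ** alpha


def paired_contract_values(alpha, beta, ksloc, payout):
    """Expected value of each side of the paired contract.

    The user-side contract pays `payout` if at least one unmitigated
    vulnerability exists at the forward date; the vendor-side contract pays
    the same amount if none does. Returns (user_value, vendor_value); the
    user's fair premium is user_value, and the two always sum to `payout`.
    """
    p_clean = prob_no_unmitigated_defects(alpha, beta, ksloc)
    return payout * (1.0 - p_clean), payout * p_clean


if __name__ == "__main__":
    a, b = posterior_gamma(SAMPLE_PROJECTS)
    print(f"posterior Gamma(alpha={a}, beta={b:.1f}), "
          f"mean rate {defect_rate_estimate(a, b):.3f} defects/KSLOC")
    user_ev, vendor_ev = paired_contract_values(a, b, ksloc=1.0, payout=10_000)
    print(f"user contract fair premium ${user_ev:,.0f}, vendor side ${vendor_ev:,.0f}")
```

With the constructed sample the posterior mean is about 1.24 defects per KSLOC, and a 1 KSLOC product has roughly a 70% predictive probability of at least one unmitigated defect, which is what sets the user-side premium.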


Such a derivative (if an open market is allowed to exist) would indicate the consensus opinion as 
to the security of the software and the reputation of the vendor. Such an instrument would allow 
software vendors and users to hedge the risks posed by undiscovered software vulnerabilities. 
These instruments would also be in the interest of the software vendor's investors, as the ability to 
manage risk in advance would allow for forward financial planning and limit the negative impact 
that vulnerability discovery has on the quoted prices of a vendor's capital. 


Utility to Department of Homeland Security 


The game theoretic approach to this can be modeled by looking at the incentives of the business and 
programming functions in the organization. Programmers are optimists. As Brooks noted, "the 
first assumption that underlies the scheduling of systems programming is that all will go well". 
Testing is rarely considered by the normal programmer as this would imply failure. However, the 
human inability to create perfection leads to the introduction of flaws at each stage of 
development. 


This project will model the security of software coding practices in a manner that will lead to 
fewer economic externalities and a means of pricing security such that vendors and in-house 
developers could accept, offset or rectify predicted vulnerabilities. 


Technical Approach 


This proposal will use a set of formalized research topics and PhD research to answer several 
issues with software security that exist today, leading to fewer technical flaws and safer systems. 


Just as car dealers buff the exterior and detail the upholstery of a used car, neglecting the work 
that should be done on the engine, software vendors add features. Most users are unlikely to use 
even a small fraction of these features, yet they buy the product that offers more features over the 
more secure product with fewer features. The issue here is that users buy the features over 
security. This is a less expensive option for the vendor to implement and provide. 


The creation of a security and risk derivative should change this. The user would have an upfront 
estimate of the costs and this could be forced back to the software vendor. Where the derivative 
costs more than testing, the vendor would conduct more in-depth testing and reduce the levels of 
bugs. This would most likely lead to product differentiation (as occurred in the past with 
Windows 95/Windows NT). Those businesses willing to pay for security could receive it. Those 
wanting features would get what they asked for. 


It is argued that software developers characteristically do not correct all the security 
vulnerabilities and that known ones remain in the product after release. Whether this is due to a 
lack of resources or other reasons, this is unlikely to be the norm and would be rectified by the 
market. The costs to vendors in share price and reputational losses exceed the perceived gains 
from withholding a fix for technical reasons, such as where the fix might break existing 
applications. The application is already broken in the instance of a security vulnerability. 


Users could still run older versions of software and have few if any bugs. The issue is that they 
would also gain no new features. It is clear that users want features. They could also choose to 
use only secure software, but the costs of doing so far outweigh the benefits and do not 
guarantee that a system will not be compromised. As such, legislating security standards 
for software vendors is detrimental. A better approach would be to allow an open, market-based 
system where vendors can operate in reputational and derivative markets. 


At the end of any analysis, security is a risk function, and what is most important is not the 
creation of perfectly secure systems but the correct allocation of scarce resources. Systems 
need to be created that allow the end user to determine their own acceptable level of risk based 
on good information. 


The goal of this research project is to create a series of quantitative models for information 
security that can be used to create a software security derivative and insurance market. 
Mathematical modeling techniques that can be used to model and predict information security 
risk will be developed using a combination of techniques including: 


• Economic theory and Econometrics, 
• Quantitative financial modeling, 
• Behavioral Economics, 
• Algorithmic game theory, and 
• Statistical hazard/survival models. 


The models will account for heteroscedastic confounding variables and include appropriate 
transforms such that variance heterogeneity is handled in non-normal distributions. Process 
models for an integrated Poisson continuous-time hazard process for risk will be 
developed using a combination of: 


• Business financial data (company accountancy and other records), 
• Anti-Virus industry data, 
• Legal databases for tortious and regulatory costs, and 
• Insurance datasets. 

This work and research follows and continues that published as: 


Wright, Craig S. and Zia, Tanveer A. (2010) The Economics of Developing Security 
Embedded Software, Proceedings of the 8th Australian Information Security Management 
Conference, Edith Cowan University, Perth, Western Australia, 30th November 2010. 
Charles Sturt University. 
http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1101&context=ism 

and 

Wright, Craig S. (2010) Software, Vendors and Reputation: an analysis of the dilemma in 
creating secure software, Proceedings of InTrust 2010, The Second International 
Conference on Trusted Systems, 13th – 15th December 2010, Beijing, P. R. China. 
Charles Sturt University. 

and (forthcoming) 

Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the Economics 
of Testing Software Bugs, Proceedings of the 4th International Conference on Computational 
Intelligence in Security for Information Systems, CISIS 2011, June 8-10th, 2011. 

Wright, Craig S. and Zia, Tanveer A. (2011) A Rationally Opting for the Insecure 
Alternative: Negative Externalities and the Selection of Security Controls, Proceedings of the 
4th International Conference on Computational Intelligence in Security for Information 
Systems, CISIS 2011, June 8-10th, 2011. 


Personnel and Performer Qualifications and Experience 
Craig S Wright 


Dave Kleiman 


Bob Radovsky 


Briefly describe the offeror's qualifications and experience in similar development efforts. 
Present the qualifications of the principal technical personnel. Submission shall include the 
identification of at least two key personnel who, if a resultant award is made, will be subject to 
any key personnel clauses included in the resultant award. Describe the extent of your team's 
past experience in working with or developing the technologies comprising your solution. For 
submissions that include multiple organizations, all organizations must be identified. Include a 
description of what role each organization will play in the project, identify appropriate technical 
personnel for each organization, and each team member's past experience in technical areas 
related to the white paper. 


Commercialization Capabilities and Plan 


Provide a brief summary of the offeror’s capabilities and experience in transitioning similar 
products to the marketplace, including previous business partnerships that can be leveraged. 
Describe the commercialization plan or other transition method for getting the technology into 
widespread use. 


Costs, Work, and Schedule 
Amount Requested (in dollars): $650,000.00 


Duration: 36 months 


The funding request will provide full scholarships and positions for three (3) PhD candidates to 
aid in the research and investigation of software security issues and solutions, the creation of 
economic models and the publication of an expected 20-30 papers in this field. 


The period is set to three years, which includes the completion of the PhD projects and the 
creation of the market, insurance and derivative models. 


• PhD Funding $240,000 
• Supervision $180,000 
• Survey and data analysis $230,000 


The project will analyze a sample of at least 1,000 coding projects using existing static analysis 
tools, manual code review and related techniques. Where these methods are lacking, proposals 
and methods to integrate existing methods and to fill the gaps left will be created. 
BAA Number: BAA 11-02-TTA 01-0127-WP 


Offeror Name: W&K INFO DEFENSE RESEARCH LLC 


Title 
Date: 07/04/2010 


Software Assurance through Economic Measures 





Photograph or artist’s concept: 

Provide a simple but sufficiently detailed graphic 
that will convey the main idea of the final 
capability/use/system prototype demonstration in 
an operational environment , and its technological 
methodology. 


Operational Capability: 

The project will analyze a sample of at least 1,000 
coding projects using existing static analysis tools, 
manual code review and related techniques. Where 
these methods are lacking, proposals and methods 
to integrate existing methods and to fill the gaps 
left will be created. 








Proposed Technical Approach: 
This project will address and provide measures and 
The analysis will measure the following coding 
errors: 
• Format string errors 
• Integer overflows 
• Buffer overruns 
• SQL injection 
• Cross-site scripting 
• Race conditions 
• Command injection. 
Several papers have been published; forthcoming 
papers include: 


Wright, Craig S. and Zia, Tanveer A. (2011) A Quantitative Analysis into the 
Economics of Testing Software Bugs, Proceedings of the 4th International 
Conference on Computational Intelligence in Security for Information 
Systems, CISIS 2011, June 8-10th, 2011. 

Wright, Craig S. and Zia, Tanveer A. (2011) A Rationally Opting for the 
Insecure Alternative: Negative Externalities and the Selection of 
Security Controls, Proceedings of the 4th International Conference on 
Computational Intelligence in Security for Information Systems, CISIS 2011, 
June 8-10th, 2011. 


Schedule, Cost, Deliverables, & Contact Info: 
Provide any milestone decision points that will be 
required. Describe period of performance and total 
costs. Include the base performance period cost and 
length, and estimates of cost and lengths of 
possible option. 

Deliverables: 

• 20-30 published papers 
• 3 PhD theses in the field 
• A commercial model for software derivatives and 
insurance markets 

A means to measure and predict the following 
coding errors is being developed: 
• Format string errors 
• Integer overflows 
• Buffer overruns 
• SQL injection 
• Cross-site scripting 
• Race conditions 
• Command injection. 


Corporate Information: 

Dave Kleiman 

W&K INFO DEFENSE RESEARCH LLC 
4371 Northlake Blvd #314 

Palm Beach 

FL 33410 - 6253 


Phone: 5613108801 
Email: dave@davekleiman.com 





Authorized Representative: Craig Wright 


Signature: 